DEV Community: Igor Zhivilo The latest articles on DEV Community by Igor Zhivilo (@warolv). https://dev.to/warolv https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F705860%2F1be21bc5-7605-4dc4-aad8-e52c413a5130.jpeg DEV Community: Igor Zhivilo https://dev.to/warolv en Scheduled backup of Vault secrets with Jenkins on Kubernetes Igor Zhivilo Tue, 14 Sep 2021 12:11:32 +0000 https://dev.to/warolv/scheduled-backup-of-vault-secrets-with-jenkins-on-kubernetes-15h6 https://dev.to/warolv/scheduled-backup-of-vault-secrets-with-jenkins-on-kubernetes-15h6 <p>I am a DevOps engineer at Cloudify.co and I will share in this post my experience related to automation of Vault backup creation using Jenkins scheduled job and simple python script which I built to create dump of vault secrets.</p> <p>Let's start.</p> <h2> What is HashiCorp's Vault? </h2> <p>Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.<br> <a href="https://www.vaultproject.io/">https://www.vaultproject.io/</a></p> <h2> Prerequisites: </h2> <ul> <li>Vault Installed</li> <li>Jenkins Installed</li> </ul> <h2> My Setup </h2> <ul> <li>EKS Kubernetes cluster</li> <li>Vault runs on EKS cluster</li> <li>Jenkins runs on EKS cluster</li> </ul> <p>You can read in this tutorial how to run Jenkins on EKS cluster:<br> <a href="https://igorzhivilo.com/jenkins/ci-cd-future-k8s-jenkins">https://igorzhivilo.com/jenkins/ci-cd-future-k8s-jenkins</a></p> <h2> What you will learn from this post? </h2> <ul> <li><p>How to use <a href="https://github.com/hvac/hvac">python hvac</a> library for authentication with Vault programmatically and backup vault secrets.</p></li> <li><p>What is AppRole authentication mechanism in Vault and how to enable/create it.</p></li> <li><p>How to create scheduled backup for Vault secrets with Jenkins pipeline on k8s.</p></li> </ul> <h3> AppRole authentication method in Vault </h3> <p>How can an application programmatically request a token so that it can read secrets from Vault?</p> <p>Using the AppRole which is an authentication mechanism within Vault to allow machines or apps to acquire a token to interact with Vault and using the policies you can set access limitations for your app.</p> <p>It uses RoleID and SecretID for login.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DGnmC5X4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qojtqpq8fektj08fs9k3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DGnmC5X4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qojtqpq8fektj08fs9k3.png" alt="role-secret"></a> </p> <h3> Create AppRole and policy for Jenkins </h3> <p>I explained how to do it in detail in my blog post: <a href="https://igorzhivilo.com/jenkins/how-to-read-vault-secrets-from-declarative-pipeline">https://igorzhivilo.com/jenkins/how-to-read-vault-secrets-from-declarative-pipeline</a></p> <p>After you applied everything I wrote in this post:</p> <ul> <li>enabled approle in vault </li> <li>v2 kv secrets engine enabled</li> <li>applied all needed policies</li> </ul> <p>eventually you will get <strong>role_id</strong> and <strong>secret_id</strong> which will be used programmatically with 'python hvac'.</p> <p>Another way for 3rd step (apply all needed policies) is to create policy using Vault's UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl port-forward <span class="nt">-n</span> vault svc/vault 8200 Forwarding from 127.0.0.1:8200 -&gt; 8200 Forwarding from <span class="o">[</span>::1]:8200 -&gt; 8200 </code></pre> </div> <h3> Go to policy tab -&gt; Create ACL Policy </h3> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2iP8hQN6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jqb2j5cpc2f3b2tekbmi.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2iP8hQN6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jqb2j5cpc2f3b2tekbmi.png" alt="acl_policy"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>path <span class="s2">"sys/auth/approle"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"sudo"</span> <span class="o">]</span> <span class="o">}</span> path <span class="s2">"sys/auth/approle/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span> <span class="o">]</span> <span class="o">}</span> path <span class="s2">"auth/approle/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> path <span class="s2">"sys/policies/acl/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> path <span class="s2">"secret/data/jenkins/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> path <span class="s2">"secret/metadata/jenkins/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>and then run via vault CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vault write auth/approle/role/jenkins <span class="nv">token_policies</span><span class="o">=</span>jenkins <span class="se">\</span> <span class="nv">token_ttl</span><span class="o">=</span>1h <span class="nv">token_max_ttl</span><span class="o">=</span>4h <span class="c"># Get RoleID and SecretID</span> <span class="nv">$ </span>vault <span class="nb">read </span>auth/approle/role/jenkins/role-id <span class="nv">$ </span>vault write <span class="nt">-f</span> auth/approle/role/jenkins/secret-id </code></pre> </div> <h3> Test that you created correctly role_id/secret_id </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vault write auth/approle/login <span class="se">\</span> <span class="nv">role_id</span><span class="o">=</span>ROLE_ID <span class="se">\</span> <span class="nv">secret_id</span><span class="o">=</span>SECRET_ID </code></pre> </div> <h2> Testing authentication with vault using python hvac and appRole </h2> <p>Simple python script to test auth with vault:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">hvac</span> <span class="n">VAULT_URL</span> <span class="o">=</span> <span class="s">'http://vault.vault.svc.cluster.local:8200'</span> <span class="n">client</span> <span class="o">=</span> <span class="n">hvac</span><span class="p">.</span><span class="n">Client</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="n">VAULT_URL</span><span class="p">)</span> <span class="n">client</span><span class="p">.</span><span class="n">auth</span><span class="p">.</span><span class="n">approle</span><span class="p">.</span><span class="n">login</span><span class="p">(</span> <span class="n">role_id</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">role_id</span><span class="p">,</span> <span class="n">secret_id</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">secret_id</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">client</span><span class="p">.</span><span class="n">is_authenticated</span><span class="p">()</span> </code></pre> </div> <p>first run 'pip install hvac'.</p> <p>I am running this script from pod with python container inside of my Kubernetes cluster. </p> <p>URL of vault in k8s cluster: '<a href="http://vault.vault.svc.cluster.local:8200">http://vault.vault.svc.cluster.local:8200</a>'</p> <p>You will see authentication error if authentication is failed, if you do, make sure you applied all the needed policies, enabled applrole, and generated properly role_id / secret_id.</p> <p>Validate role_id/secret_id is correct using vault CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vault write auth/approle/login <span class="se">\</span>   <span class="nv">role_id</span><span class="o">=</span>YOU_ROLE_ID <span class="se">\</span>   <span class="nv">secret_id</span><span class="o">=</span>YOU_SECRET_ID </code></pre> </div> <h3> Get the list of secrets under 'jenkins' vault_prefix (CLI) </h3> <p>In my case, <strong>vault_prefix</strong> looks like: 'secret/data/jenkins' and all secrets stored under 'jenkins' prefix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>vault kv list secret/jenkins Keys <span class="nt">----</span> aws git web-app1 web-app2 ... </code></pre> </div> <p>Each key in list has additional subset of keys, for example 'aws' has access_key_id/secret_access_keys</p> <h3> Getting the secrets list (python) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">secrets_list_response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">secrets</span><span class="p">.</span><span class="n">kv</span><span class="p">.</span><span class="n">v2</span><span class="p">.</span><span class="n">list_secrets</span><span class="p">(</span><span class="n">path</span> <span class="o">=</span> <span class="s">'jenkins'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'The following keys are available under "jenkins" prefix: {keys}'</span><span class="p">.</span> <span class="nb">format</span><span class="p">(</span><span class="n">keys</span><span class="o">=</span><span class="s">','</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">secrets_list_response</span><span class="p">[</span><span class="s">'data'</span><span class="p">][</span><span class="s">'keys'</span><span class="p">])))</span> </code></pre> </div> <p>If you have a permissions error on the secrets list, check you have access to <strong>metadata</strong>, that what you should see in UI for 'jenkins policy':<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>path <span class="s2">"secret/metadata/jenkins/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>If you don't, add using the UI or vault CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">tee </span>jenkins-policy-metadata.hcl <span class="o">&lt;&lt;</span><span class="sh">"</span><span class="no">EOF</span><span class="sh">" path "secret/metadata/jenkins/*" { capabilities = [ "read" ] } </span><span class="no"> EOF </span><span class="nv">$ </span>vault policy write jenkins jenkins-policy-metadata.hcl </code></pre> </div> <h3> Get a specific secret (python) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">secret_response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">secrets</span><span class="p">.</span><span class="n">kv</span><span class="p">.</span><span class="n">v2</span><span class="p">.</span><span class="n">read_secret</span><span class="p">(</span><span class="n">path</span> <span class="o">=</span> <span class="s">'jenkins/aws'</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">secret_response</span><span class="p">)</span> </code></pre> </div> <p>If you have a permission error, check you have access to <strong>data</strong> in UI of Vault:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>path <span class="s2">"secret/data/jenkins/*"</span> <span class="o">{</span> capabilities <span class="o">=</span> <span class="o">[</span> <span class="s2">"create"</span>, <span class="s2">"read"</span>, <span class="s2">"update"</span>, <span class="s2">"delete"</span>, <span class="s2">"list"</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <h2> VaultHandler </h2> <p>I created VaultHandler which you can find <a href="https://github.com/warolv/vault-backup">here</a>.</p> <p><a href="https://github.com/warolv/vault-backup">https://github.com/warolv/vault-backup</a></p> <h3> You can use it to: </h3> <ul> <li>Dump all your secrets as encrypted yaml/json files, or you can store it without encryption.</li> <li>Get a list of your secrets.</li> <li>Print all secrets nicely.</li> <li>Populate Vault from yaml/json dumps to a specific 'vault_prefix'.</li> </ul> <p>Also, I think to extend it to use different auth methods, besides appRole, create CLI, to run it in the command line and much more :-)</p> <p>If the idea sounds interesting, <strong>add stars to the repo or clone it</strong>, I will know this way you like the idea.</p> <h2> Create Jenkins scheduled job for daily vault backup </h2> <ul> <li><p>I am using <em>Vault Plugin</em> in Jenkins <a href="https://plugins.jenkins.io/hashicorp-vault-plugin">https://plugins.jenkins.io/hashicorp-vault-plugin</a> to add secrets as env variables during job execution. Read more about how to integrate this plugin into jenkins here: <a href="https://igorzhivilo.com/jenkins/how-to-read-vault-secrets-from-declarative-pipeline">https://igorzhivilo.com/jenkins/how-to-read-vault-secrets-from-declarative-pipeline</a></p></li> <li><p>During job execution POD will be created with 2 contaienrs: awscli to use aws s3 utility, and push created encrypted dump to private s3 bucket (vault-backups), python to run VaultHandler.*<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="kt">def</span> <span class="n">configuration</span> <span class="o">=</span> <span class="o">[</span><span class="nl">vaultUrl:</span> <span class="s2">"${VAULT_URL}"</span><span class="o">,</span> <span class="nl">vaultCredentialId:</span> <span class="s2">"vault-role-app"</span><span class="o">,</span> <span class="nl">engineVersion:</span> <span class="mi">2</span><span class="o">]</span> <span class="kt">def</span> <span class="n">secrets</span> <span class="o">=</span> <span class="o">[</span> <span class="o">[</span><span class="nl">path:</span> <span class="s1">'secret/jenkins/aws'</span><span class="o">,</span> <span class="nl">engineVersion:</span> <span class="mi">2</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'AWS_ACCESS_KEY_ID'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'aws_access_key_id'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'AWS_SECRET_ACCESS_KEY'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'aws_secret_access_key'</span><span class="o">]]],</span> <span class="o">[</span><span class="nl">path:</span> <span class="s1">'secret/jenkins/vault-backup'</span><span class="o">,</span> <span class="nl">engineVersion:</span> <span class="mi">2</span><span class="o">,</span> <span class="nl">secretValues:</span> <span class="o">[</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'VAULT_ADDR'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'vault_url'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'ROLE_ID'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'role_id'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'SECRET_ID'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'secret_id'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'VAULT_PREFIX'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'vault_prefix'</span><span class="o">],</span> <span class="o">[</span><span class="nl">envVar:</span> <span class="s1">'DUMP_ENCRYPTION_PASSWORD'</span><span class="o">,</span> <span class="nl">vaultKey:</span> <span class="s1">'encryption_password'</span><span class="o">]]],</span> <span class="o">]</span> <span class="kt">def</span> <span class="n">podTemplate</span> <span class="o">=</span> <span class="s2">""" apiVersion: v1 kind: Pod spec: containers: - name: awscli image: amazon/aws-cli command: - cat tty: true - name: python image: python:3.6 command: - cat tty: true """</span><span class="o">.</span><span class="na">stripIndent</span><span class="o">().</span><span class="na">trim</span><span class="o">()</span> <span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="o">{</span> <span class="n">kubernetes</span> <span class="o">{</span> <span class="n">defaultContainer</span> <span class="s1">'jnlp'</span> <span class="n">yaml</span> <span class="s2">"${podTemplate}"</span> <span class="o">}</span> <span class="o">}</span> <span class="n">environment</span> <span class="o">{</span> <span class="n">AWS_DEFAULT_REGION</span> <span class="o">=</span> <span class="s2">"eu-west-1"</span> <span class="o">}</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Backup Jenkins'</span><span class="o">){</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">container</span><span class="o">(</span><span class="s1">'python'</span><span class="o">){</span> <span class="n">dir</span><span class="o">(</span><span class="s2">"${env.WORKSPACE}/pipelines-k8s/vault-backup/"</span><span class="o">)</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">configuration:</span> <span class="n">configuration</span><span class="o">,</span> <span class="nl">vaultSecrets:</span> <span class="n">secrets</span><span class="o">]){</span> <span class="n">sh</span> <span class="s2">"""#!/bin/bash pip install -r requirements.txt python -u vault_handler.py tar -zcvf vault_secrets.json.enc.tar.gz vault_secrets.json.enc """</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">container</span><span class="o">(</span><span class="s1">'awscli'</span><span class="o">){</span> <span class="n">dir</span><span class="o">(</span><span class="s2">"${env.WORKSPACE}/pipelines-k8s/vault-backup/"</span><span class="o">)</span> <span class="o">{</span> <span class="n">withVault</span><span class="o">([</span><span class="nl">configuration:</span> <span class="n">configuration</span><span class="o">,</span> <span class="nl">vaultSecrets:</span> <span class="n">secrets</span><span class="o">]){</span> <span class="n">sh</span> <span class="s1">''' aws s3 cp vault_secrets.json.enc.tar.gz s3://vault-backups/$(date +%Y%m%d%H%M)/vault_secrets.json.enc.tar.gz '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now create a new pipeline in jenkins: newitem -&gt; pipeline and make it periodic (daily).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--allTzEyb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/in64vew83obvrdg1d6fo.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--allTzEyb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/in64vew83obvrdg1d6fo.png" alt="new_pipeline"></a></p> <p>In this post, I described how to automate Vault backup creation using Jenkins scheduled job and simple python script which I built to create dump of vault secrets.</p> <p>Thank you for reading, I hope you enjoyed it, see you in the next post.</p> <p>If you want to be notified when the next post of this tutorial is published, please follow me on Twitter <a href="https://twitter.com/warolv">@warolv</a>.</p> <p>Original story on my blog: <a href="https://igorzhivilo.com/vault/scheduled-backup-vault-secrets/">https://igorzhivilo.com/vault/scheduled-backup-vault-secrets/</a></p> vault jenkins kubernetes hashicorp Scheduled backup of Vault secrets with CronJob of Kubernetes Igor Zhivilo Tue, 14 Sep 2021 12:01:21 +0000 https://dev.to/warolv/scheduled-backup-of-vault-secrets-with-cronjob-of-kubernetes-54io https://dev.to/warolv/scheduled-backup-of-vault-secrets-with-cronjob-of-kubernetes-54io <p>I am a DevOps engineer at Cloudify.co and I will share in this post my experience related to automation of Vault backup creation using Kubernetes CronJob. </p> <p>This post is a continuation of the previous post: <a href="https://igorzhivilo.com/vault/scheduled-backup-vault-secrets">https://igorzhivilo.com/vault/scheduled-backup-vault-secrets</a></p> <p>The repository with all the code: <a href="https://github.com/warolv/vault-backup">https://github.com/warolv/vault-backup</a></p> <h2> What is HashiCorp's Vault? </h2> <p>Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.</p> <p><a href="https://www.vaultproject.io/">https://www.vaultproject.io/</a></p> <h2> My Setup </h2> <ul> <li>EKS Kubernetes cluster</li> <li>Vault runs on EKS cluster</li> </ul> <h2> What you will learn from this post? </h2> <ul> <li><p>How to create a scheduled backup for Vault secrets with CronJob of Kubernetes.</p></li> <li><p>How to add Prometheus alerts for failed jobs.</p></li> </ul> <p>You can find all the code presented in my repository: <a href="https://github.com/warolv/vault-backup">https://github.com/warolv/vault-backup</a></p> <p>Let's start.</p> <h2> Building the docker container </h2> <p>First, need to build a docker container based on python3 and include the code of vault_handler.py</p> <p>Need clone the <a href="https://github.com/warolv/vault-backup">repo</a> first with Docker file: 'git clone <a href="https://github.com/warolv/vault-backup">https://github.com/warolv/vault-backup</a>'</p> <p>Docker file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">FROM python:3</span> <span class="s">COPY requirements.txt /</span> <span class="s">RUN pip install -r requirements.txt</span> <span class="s">COPY vault_handler.py /</span> <span class="s">CMD [ "python", "./vault_handler.py" ]</span> </code></pre> </div> <h3> Building image </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># login to dockerhub</span> <span class="nv">$ </span>docker login <span class="nt">-u</span> YOUR_USERNAME <span class="nt">-p</span> YOUR_PASSWORD <span class="c"># Build Docker</span> <span class="nv">$ </span>docker build <span class="nt">-t</span> vault-backup <span class="nb">.</span> </code></pre> </div> <h3> Validate docker container working properly </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">--name</span> test-vault-backup <span class="nt">--rm</span> vault-backup Specify one of the commands below print print-dump dump populate </code></pre> </div> <p>It's working, we got a list of commands from vault-backup:-)</p> <h3> Pushing vault-backup docker container to docker hub </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker tag vault-backup &lt;Your Docker ID&gt;/vault-backup:latest <span class="nv">$ </span>docker push &lt;Your Docker ID&gt;/vault-backup:latest </code></pre> </div> <p>In my case, it's 'warolv/vault-backup:latest', you can find an already built image <a href="https://hub.docker.com/r/warolv/vault-backup">there</a>.</p> <h2> CronJob to run vault-backup on a daily basis </h2> <p><a href="https://github.com/warolv/vault-backup/blob/main/examples/cronjob/cronjob.yaml">https://github.com/warolv/vault-backup/blob/main/examples/cronjob/cronjob.yaml</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronJob</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-backup</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">instance-type</span><span class="pi">:</span> <span class="s">spot</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">awscli</span> <span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">cp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/data/vault_secrets.enc"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3://jenkins-backups/vault_secrets.enc"</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-creds-secret</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backup-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-backup</span> <span class="na">image</span><span class="pi">:</span> <span class="s">warolv/vault-backup</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">python3"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">vault_handler.py"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dump"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-dp"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/data/vault_secrets.enc"</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vault-backup-secret</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backup-dir</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backup-dir</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li><p>First 'vault_backup.py' script will run from InitContainer and secrets dump will be created (vault_secrets.enc) and saved to <em>/data</em> folder which is a shared folder for both containers.</p></li> <li><p>The second will run 'awscli' container which will be used to push the secrets dump to a private S3 bucket (AWS CLI is used to copy the secrets dump to the privare S3 bucket). Of course, S3 private bucket must exist.</p></li> <li><p>Credentials for AWS CLI (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) and for vault_backup script exported to the environment as k8s secrets.</p></li> <li><p>In this example, I am copying the dump to 's3://jenkins-backups/vault_secrets.enc', in the production use case I suggest adding a timestamp to dump of secrets to be something like vault_secrets_${timestamp}.enc</p></li> </ul> <h3> Creating secrets for CronJob </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># create k8s secret for AWS</span> <span class="nv">$ </span>kubectl create secret generic aws-creds-secret <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>YOUR_AWS_ACCESS_KEY_ID <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>YOUR_AWS_SECRET_ACCESS_KEY <span class="c"># create k8s secret with all needed data for vault-backup</span> <span class="nv">$ </span>kubectl create secret generic vault-backup-secret <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">VAULT_ADDR</span><span class="o">=</span>http://vault.vault.svc.cluster.local:8200 <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">ROLE_ID</span><span class="o">=</span>YOUR_ROLE_ID <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">SECRET_ID</span><span class="o">=</span>YOUR_SECRET_ID <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">ENCRYPTION_KEY</span><span class="o">=</span>ENCRYPTION_KEY <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">VAULT_PREFIX</span><span class="o">=</span>jenkins </code></pre> </div> <p>It's only an example, you need to put <em>real values</em>.</p> <h3> Deploy vault-backup cronjob </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> examples/cronjob/cronjob.yaml </code></pre> </div> <h3> How to trigger a Job from CronJob? </h3> <p>In case you want to test your job is working properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl create job <span class="nt">--from</span><span class="o">=</span>cronjob/vault-backup vault-backup-001 </code></pre> </div> <h2> Adding alerts to Prometheus </h2> <p>I am using <a href="https://github.com/kubernetes/kube-state-metrics">kube-state-metrics</a> with Prometheus and we have these metrics available: <a href="https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cronjob-metrics.md">https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cronjob-metrics.md</a></p> <p>Let's add an alert for <em>'failed job'</em> and for cronjob which <em>'takes too much time'</em>, of course, it's only an example to give you an idea.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cronjob.rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">SlowCronJob</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">time()-kube_cronjob_next_schedule_time &gt; </span><span class="m">1800</span> <span class="na">for</span><span class="pi">:</span> <span class="s">30m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">CronJob {{$labels.namespaces}}/{{$labels.cronjob}} is taking more than 30m to complete</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">CronJob taking more than 30m</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">FailedJob</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">kube_job_status_failed &gt; </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">30m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Job {{$labels.namespaces}}/{{$labels.job}} failed</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">Job failure</span> </code></pre> </div> <p>In this post, I described how to automate Vault backup creation using Kubernetes CronJob and a simple python script that I built.</p> <p>Thank you for reading, I hope you enjoyed it, see you in the next post.</p> <p>Original story on my blog: <a href="https://igorzhivilo.com/vault/scheduled-backup-vault-cronjob/">https://igorzhivilo.com/vault/scheduled-backup-vault-cronjob/</a></p> <p>If you want to be notified when the next post of this tutorial is published, please follow me on Twitter <a href="https://twitter.com/warolv">@warolv</a>.</p> <p>Instagram: <a href="https://www.instagram.com/warolv">@warolv</a></p> kubernetes vault hashicorp k8s